Tag: Transport Layer Security (TLS)

Google Chrome’s HTTPS ban-hammer drops on WoSign, StartCom in two months

Substandard certs, already in partial exile, soon to be shunned completely

Google in two months will conclude its prolonged excommunication of misbehaving SSL/TLS certificate authorities WoSign and subsidiary StartCom, a punishment announced last October.…

VU#768399: HPE SiteScope contains multiple vulnerabilities

HPE's SiteScope is vulnerable to several cryptographic issues, insufficiently protected credentials, and missing authentication.

Popular RADIUS server exploitable with TLS session caching

'Inner authentication' has bad karma, allows strangers to log in without credentials

Sysadmins with FreeRADIUS – the most widely deployed Remote Authentication Dial-In User Service server – in their boxen need to run an upgrade because there's a bug in its TTLS and PEAP implementations.…

Intrinsic ID Unveils Bold New Authentication Security for IoT Devices

SPARTAN Cloud is the first security product that enables secure connections to AWS, Azure and Google Cloud based on Transport Layer Security (TLS).

Microsoft finally bans SHA-1 certificates in Internet Explorer, Edge

The Tuesday updates for Internet Explorer and Microsoft Edge force those browsers to flag SSL/TLS certificates signed with the aging SHA-1 hashing function as insecure.

The move follows similar actions by Google Chrome and Mozilla Firefox earlier this year. Browser vendors and certificate authorities have been engaged in a coordinated effort to phase out the use of SHA-1 certificates on the web for the past few years, because the hashing function no longer provides sufficient security against spoofing. SHA-1 (Secure Hash Algorithm 1) dates back to 1995 and has been known to be vulnerable to theoretical attacks since 2005.

The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010, and digital certificate authorities have not been allowed to issue SHA-1-signed certificates since Jan. 1, 2016, although some exemptions have been made -- for example, for outdated payment terminals.

Symantec promises audit-fest to placate Google trust reduction plans

TLS certificate vendor says it will even audit its previous audits to prevent having Google reduce its trust on Symantec certificates.

DNS record will help prevent unauthorized SSL certificates

In a few months, publicly trusted certificate authorities will have to start honoring a special Domain Name System (DNS) record that allows domain owners to specify who is allowed to issue SSL certificates for their domains. The Certification Authority Authorization (CAA) DNS record became a standard in 2013 but didn't have much of a real-world impact because certificate authorities (CAs) were under no obligation to conform to it. The record allows a domain owner to list the CAs that are allowed to issue SSL/TLS certificates for that domain.

The reason for this is to limit cases of unauthorized certificate issuance, which can be accidental or intentional, if a CA is compromised or has a rogue employee.

Cyber-Thieves Using Persistent Bot to Steal Gift Card Balances

DAILY VIDEO: Cyber-thieves using GiftGhostBot to steal gift card balances; Google threatens to distrust Symantec SSL/TLS certificates; Google warns users it plans to remove SMS texting from Hangouts; and there's more.

Google Threatens to Distrust Symantec SSL/TLS Certificates

Google is warning that it intends to deprecate and remove trust in Symantec-issued SSL/TLS certificates, as Symantec shoots back that the move is unwarranted.

Google Slams Symantec for ‘Failures’ in SSL/TLS Certificate Process

Google Chrome engineers railed on Symantec for allegedly issuing thousands of security certificates that had not been properly validated.

Google to Symantec: We don’t trust you anymore

Security teams, network administrators, and operations teams have some busy days ahead.

Google’s Chrome development team is fed up with Symantec as a certificate authority, and has announced plans to no longer trust current Symantec certificates. In the past 18 months, Google has tangled repeatedly with Symantec over the way it issues transport layer security (TLS) certificates, with Symantec promising to do better.

The latest incident--an investigation into 127 mis-issued certificates--ballooned into “at least 30,000, issued over a period spanning several years,” Ravi Sleevi, a software engineer on the Google Chrome team, wrote on the Blink online forum. As a result, the Chrome developers “no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.”